Where Technology and the Law Meet


The hiatus is officially over! After a reboot and relaunch of my new website – http://www.isecure.biz – I am happy to return to a life of blogging. The Emerging Business Advocate is not a place to obtain legal advice. If that is what you seek, then please contact a practicing attorney – they should be able to help you. Rather, the content of this blog is to highlight new and emerging issues that the general audience may experience in a corporate business context. Comments and questions are welcomed and encouraged. For now, take a moment to peruse prior topics of interest, and see if you can find any discernible changes to the issues an emerging business is confronted with.

Whether it is the targeted exploitation of corporate databases by state-sponsored groups, or the lack of judicial oversight on “warrants” issued by the National Security Agency, leaders are seeking solutions in response to the cybersecurity highlights of 2014. Thus far, the status quo response has been to develop reactive, check-the-box risk management procedures. The current legal landscape for cybersecurity is comparable to that of workplace harassment and discrimination in the mid-1980s (i.e. a frustrating lack of meaningful response and oversight to the mistreatment of a highly valued organizational asset). Historically, the development in workplace behavior is primarily derived from the countless lawsuits filed in the mid-1980s that culminated in the Anita Hill/Clarence Thomas Hearings. From a corporate culture standpoint, the Hill/Thomas Hearings represented a paradigm shift in workplace employment practices for many organizations. While we have not yet experienced such a tipping point in the cybersecurity context, FBI Director James Comey succinctly stated on 60 Minutes, “[t]here are two types of publicly-traded companies, those who have been hacked by the Chinese, and those who do not know they have been hacked by the Chinese.”

Almost all businesses in the State of Washington are comprised of heterogeneous devices (i.e. PDAs, laptops, personal computers, etc.) that are operated over heterogeneous environments (i.e. office communication networks, open wireless networks, etc.). This makes securing mission-critical data exponentially more difficult. Additionally, the ecology of the Internet is such that data risk exposure is the proverbial elephant in the room. Many businesses are unable to proactively respond to a cybersecurity issue for a myriad of reasons:

Many executives see the issues around cybersecurity as being overblown

The organization has a mindset that it will deal with information management issues later

A perception that cybersecurity does not foster sharing and openness

The business is unable to decipher the relative importance of their proprietary information.

One risk management solution to cybersecurity is simply transferring the risk to a third party (i.e. buying cyber-insurance). There are plenty of cyber-policies being offered in the marketplace by insurance providers, but understanding the nuances of what is covered in the policy is a critical procurement decision. For example, a policy that covers an insured against third-party data loss may protect the business against third-party claims, but that does not necessarily mean the insured will recover its direct loss. Additionally, investment in a first-party policy may be more cost-prohibitive than self-insuring against all direct and indirect losses.

An alternative approach to dealing with cybersecurity is for organizational leadership to design a “tone at the top” governance strategy. In order to mitigate the unauthorized release of mission-critical data, corporations should explore a paradigm shift in cybersecurity away from check-the-box procedures to a Control Conscious Corporate Culture. Laws and regulations will continue to act as an arbiter in leveling the playing field, but the ebbs and flows of regulatory guidance also create legal uncertainties. A Control Conscious Corporate Culture goes beyond technology and focuses, to a much greater degree, on the systematic processes and people that are within, and unique to, an organization. The behavioral choices we make as humans, such as disregarding the processes, have an equally catastrophic impact on the technology that supports the business. A Control Conscious Corporate Culture is accomplished through the hiring and promotion of people with the desired values, the adoption of a formal set of internal controls, and the deployment of quality technology premised on core values that uniquely identify the organization from its competition.

IT departments are chartered with safeguarding mission-critical assets, but the application of better processes and employee training should be included when developing a more robust data governance strategy. Much like employment practices, the government expects organizations to be good corporate citizens, and self-monitor to ensure compliance with all laws and regulations. The ability to maintain the confidentiality, accessibility, and integrity of critical knowledge resources will accumulate long-term benefits like good public relations; high customer satisfaction; preservation of intellectual property and competitive advantage; higher investor confidence; and higher valuation.

For years now, I have spoken with colleagues in the legal profession about the necessity of implementing a data governance program for their law practice. The overwhelming response, to date, is one that most would probably not expect from practicing lawyers who have an ethical duty to keep client information confidential: apathy. The reason for this is two-fold: (1) the business benefit is hard to realize for most lawyers in the profession, since a majority of firms are made up of fewer than 10 practitioners; and (2) the mindset of a lawyer is that their training has provided them with a suitable talent to react to any material adverse effect on their practice.

Last week, the Seattle Public Schools sent out a notice that it has “severed” its relationship with a law firm over that firm’s handling of mission-critical information. In responding to a complaint filed against the Seattle Public School District (“SPS”), the law firm inadvertently delivered personally identifiable information of about 7,400 special education students. Although the information was inadvertently delivered to only one person, SPS felt that it needed to take corrective action and dismiss the law firm of Preg O’Donnell & Gillett from representing the school district in the complaint. Preg O’Donnell & Gillett, which has offices in Seattle, Portland, and Anchorage, did not respond to requests by the media to be interviewed. A review of the law firm’s website shows that there are 7 members of the firm, all of whom would presumably have authority to create and implement a data governance program for the firm, especially if there are multiple offices throughout the region.

Data Governance is, and always will be, a “tone at the top” issue, and a paradigm shift in the legal profession needs to take place. Due to the average size of most law firms, much like any small business in America, hiring full-time IT staff is cost-prohibitive, but a data governance program is not just about technology, it’s also about PEOPLE and PROCESSES. Law firms, and small businesses alike, have an ethical obligation to keep their proprietary data confidential. Start by training and educating your staff and clients at least twice a year on proper safeguard protocols – this is one proactive way to keep clients and therefore make money. From there, firms can assess and review exactly what other protocols need to be implemented internally and externally, as there is no one-size-fits-all approach to data governance.

October in the technology world is “cyber-security awareness month” (can’t believe I just wrote that). Yet, with all the awareness that popular media outlets like The Wall Street Journal, The New York Times, 60 Minutes, et al., bring, little in the way of solutions is being offered, which speaks to how serious this issue is for many businesses. Recently, when a huge cyber-attack was launched against JPMorgan Chase and nine other financial institutions, the White House received periodic briefings on the attack in real time. The problem was, no senior White House official could tell the President of the United States “why” the attacks were occurring. According to a report from The New York Times, the answer simply came back as – “We don’t know for sure [why the cyber-attacks are occurring].”

The answer is quite simple: “because they can.” Such news is not advisable to mention when you are the one who has to deliver it to the President of the United States. In an interview with 60 Minutes a few Sundays ago, FBI Director Mr. James Comey said there are two kinds of “big” companies in America, “those who have been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” Large corporations have a vast repository of information related to company data, customer data, and customers’ customer data. However, to date, the risk implications associated with a cyber-attack, both monetary and non-monetary, create little incentive for large companies to respond proactively. Consider the amount of fines, penalties, and associated expenses Target Corp. had to pay when it was victimized by a cyber-attack: $148 million. That’s a ton of money, but the data breach did not prevent customers from shopping at Target. Post-breach, Target customers paid for their purchases using either cash or pre-paid cards. Recouping the costs related to the cyber-attack took little time and the impact on the company’s bottom line was likely minimal.

As an advisor to startups and small businesses, I find that most entrepreneurs do not consider cyber-security when developing their business plans. This is mainly due to some naïve notion that the Chinese (or Russians, for that matter) are only out to get the “big” corporations. That could not be further from the truth. Many times, the advice I give to entrepreneurs is that if the business idea is too good, consider that your competitor is paying a third party to find out the recipe for your secret sauce. From there, anything and everything is possible, starting with reverse engineering the ingredients to make a better sauce.

The U.S. government’s public response on cyber-security is a mass hysterical game of shadows, whereby companies need to look over their shoulders to see who may be watching them. A different response should be to fight back. Build up defenses within your business, regardless of size, that allow you to take the fight to the criminals, or deter it. Know where the weaknesses in the organization lie, and address them accordingly. Make the time it takes for a criminal to hack into your business unappealing so that they will move on to easier targets. Large organizations are easy targets, because they are bureaucratically driven by leaders at the top who are chiefly concerned about exceeding shareholder expectations – which has more to do with profit and loss than cyber-security.

The Federal Bureau of Investigation announced a public service campaign today to bring attention to the $13 billion in trade secrets lost by U.S. businesses to state-sponsored organizations and organized-criminal elements. In February 2012, five companies and individuals were charged with economic espionage and theft of trade secrets for their role in trying to obtain information on a chemical known as chloride-route titanium (TiO2). TiO2 is a commercially valuable white pigment with numerous uses, including coloring paints, plastics, and paper. DuPont, a company based in Wilmington, Delaware, invented the chloride-route process for manufacturing TiO2 and invested heavily in research and development to improve the process over the years. In 2011, the company reported that its TiO2 trade secrets had been stolen. A federal indictment disclosed that the People’s Republic of China was interested in learning more about the chemical’s capabilities.

On its website, the FBI identifies ways for a company to spot whether an employee may be spying and trying to steal corporate trade secrets. As a courtesy, I am posting the list here:

They work odd hours without authorization.

Without need or authorization, they take proprietary or other information home in hard copy form and/or on thumb drives, computer disks, or e-mail.

They unnecessarily copy material, especially if it’s proprietary or classified.

A “Point-of-Sale” (POS) terminal is the hardware and software used by retailers during their customers’ checkout process. Just like any technology-interfacing device, POS terminals are, and have been, subjected to fraudulent activities. Recent trends point to hackers accessing the information stored on these devices to commit widespread fraud throughout the United States and abroad. What’s even more disturbing about this trend is how POS hacking has shifted from a localized crime to a much broader, more organized crime that spans a larger geographic region.

The geographic breadth, according to an article published by Computerworld, suggests that the attacks are the work of a “network of criminals who [go] into [retail] stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices” designed to steal payment data. Computerworld goes on to report, “[t]he theft of the PIN data suggests that the crooks most likely used a transparent overlay of some type so that customer PIN numbers could be captured before it was encrypted.” It is also more than likely that the rogue PIN pads allowed the attackers to capture payment card data wirelessly from within the store itself or from a nearby location such as a parking lot.

The level of sophistication employed by organized criminal enterprises around POS hacking should cause many retailers during this holiday season to question their existing data governance strategies. This crime can go undetected for some time, often causing far more monetary damage than would occur if appropriate safeguards were in place.

In The New York Times today, Steve Lohr wrote an article about how the drive towards making patient records available online has taken a huge step forward through a major New York regional hospital group, North Shore-Long Island Jewish Health System. The group plans on offering its affiliated doctors subsidies of up to $40,000 each over five years to adopt digital patient records. This would be in addition to the federal government subsidies for computerizing patient records, which could total $44,000. The hospitals see this as a two-fold proposition: (1) it allows them to share data among offices, labs, and hospitals, which reduces unnecessary tests and cuts down on medical mistakes; and (2) it’s a way for the hospitals to strengthen their bonds with their doctors, due to the fact that some independent doctors affiliate with more than one organization.

According to Mr. Lohr, the government-backed campaign to hasten the adoption of electronic health records has the potential not only to change how health care is delivered. It could also influence which institutions emerge as leaders in delivering care, as some local markets consolidate further. “We are going to change how we deliver care, and we should be held accountable for outcomes — not just measured on the number of procedures performed,” Mr. Dowling said. Indeed, the rationale for investing in digital records is that the technology can be used to help monitor and measure the results of care, providing the evidence needed to shift remuneration away from the current fee-for-service system, which encourages more tests, more procedures and more pills prescribed.

With all this talk about “incentives”, healthcare providers need to assure their patients that their personal healthcare information is accessible only to parties with privity. Having a comprehensive data governance program implemented throughout the organization is the only way for these providers to be assured that the confidentiality, integrity, and accessibility of those records are preserved. Who gains access to private medical data, and whether the medium used is adequate to ensure confidentiality, will be determinative of who is held “accountable for outcomes.”